Information Governance Framework. June 2015


Information Security Framework. Janice McNay. June

Company: Thirteen Group
Lead Manager: Janice McNay
Date of Final Draft and Version Number: June 2015
Review Date: June 2018
Officer Responsible for Review: Janice McNay

POLICY STATEMENT

1.1 Thirteen Group and its partner companies need to collect, use and hold information about people in order to operate effectively and efficiently and ensure that services appropriate to the needs of employees and customers are provided.

1.2 This information may be personal and/or sensitive, and may be collected, recorded and stored both manually on paper and/or electronically. It is vital that any information, however it is collected or stored, is dealt with lawfully and correctly and there are safeguards in place in the Data Protection Act 1998 to ensure this.

1.3 This framework aims to detail the organisational and legislative requirements with regards to the following: Data protection; ICT security; Confidentiality; Access to information; and Document management.

1.4 The need to adhere to this framework and associated policies is included in both the terms and conditions of staff employment and the Code of Conduct applicable to all staff and Board Directors. Any breaches will be investigated and where a serious breach has occurred disciplinary action may be taken.

2 REFERENCE MATERIAL

2.1 The following information has been used when developing this framework: Data Protection Act 1998; Data Protection Principles; Guidance from the Information Commissioner's Office (ICO) website; Data Protection Good Practice Guidance.

3 DEFINITIONS

3.1 A full list of definitions is attached at appendix A.

4 POLICY CONTENTS

4.1 Data Protection

The Data Protection Act 1998 establishes a framework of rights and duties which are designed to safeguard personal data. The framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to respect for the privacy of their personal details.
The legislation itself is complex, but is underpinned by a set of eight straightforward, common-sense principles:

Principle 1: Personal information must be fairly and lawfully processed
Principle 2: Personal information must be processed for limited purposes
Principle 3: Personal information must be adequate, relevant and not excessive
Principle 4: Personal information must be accurate and up to date
Principle 5: Personal information must not be kept for longer than is necessary
Principle 6: Personal information must be processed in line with the data subjects' rights
Principle 7: Personal information must be secure
Principle 8: Personal information must not be transferred to other countries without adequate protection

These principles must be followed by anyone processing personal data. More detailed information regarding the principles is attached at appendix B.

Use of Employee Protection Register / Concerns Markers

Thirteen Group has a duty under the Health and Safety Act 1974 to provide a safe working environment for its employees. Many employees come into direct face-to-face contact with customers and clients as part of their work, in situations which are sometimes volatile or that may present other risks to the safety of staff. Thirteen Group therefore recognises the necessity of using an Employee Protection Register / Concerns Marker. However, it may be that sensitive personal data is included in the Employee Protection Register / Concerns Marker and therefore usage of the Employee Protection Register / Concerns Marker must comply with the Data Protection Act.

Data Sharing Agreements

Employees and Board Directors working for and on behalf of Thirteen Group must understand the importance of good practice when dealing with personal and sensitive personal data held in customer records, and appreciate the rules by which individuals' data may be accessed and processed. Thirteen Group expects that data held by the organisation or any companies acting on behalf of the Group will be treated as confidential at all times, and will be processed in accordance with the Data Protection Act 1998 and Thirteen Group's other policies and procedures.
Data will not be made available to third parties for commercial or marketing purposes. Organisations using any type of data held by Thirteen Group will have to sign up to a data sharing agreement and be bound by the requirements of that agreement.

Data Security Breaches

A data security breach can happen for a number of reasons, for example: loss or theft of information on which data is stored; unauthorised access; equipment failure; human error; and fire or flood.

If a potential breach is identified, action will be taken to ensure the matter is contained and if possible the information recovered; an assessment of ongoing risk is made; there is notification of the breach to the affected parties as required; and there is evaluation of the effects of the breach and the response. Action may include disciplinary investigations if employees are involved.

ICT Security

Employees and Board Directors must use Thirteen Group's information technology and communications facilities sensibly, professionally, lawfully, and consistently, with respect for colleagues and for customers and in accordance with this framework and Thirteen Group's other policies and procedures.

Use of Electronic

Thirteen Group's facilities are provided for business purposes. Facilities provided by Thirteen Group should not be abused, and only authorised users of the Group's computer systems are entitled to use facilities. The use of the Group's facilities assumes and implies compliance with this framework; Thirteen Group's other policies and procedures; and the Data Protection Act. Every user has a duty to ensure that they practise appropriate and proper use and must understand their responsibilities in this regard. Complaints received from both internal and external sources, regarding any unacceptable use of which involves Thirteen Group's facilities

Use of Internet / Intranet

Thirteen Group provides access to the information, resources and facilities of the Internet to help employees and Board Directors do their jobs more efficiently and effectively. Thirteen Group has implemented security measures to block inappropriate content and entrusts employees and Board Directors to use the Internet and Intranet in a professional way which avoids any question of inappropriate use. Consider that when visiting websites, information identifying the PC may be logged. Therefore any activity may be associated with the Thirteen Group.

Misuse of Facilities

Misuse of Thirteen Group's facilities and systems, including its telephone, and internet systems, will be treated seriously and dealt with in accordance with Thirteen Group's disciplinary procedures.
The Group reserves the right to undertake a detailed investigation in accordance with Thirteen Group's disciplinary procedures, and information and data on electronic or paper records may be used as evidence. Where this is the case, information to identify individuals will be redacted where required.

System Security

Security of Thirteen Group's ICT system is of paramount importance. We owe a duty to all of our customers to ensure that all of our business transactions are kept confidential. If at any time we need to rely in court on any information which has been stored or processed using Thirteen Group's IT systems, it is essential that we are able to demonstrate the integrity of those systems.

Remote Working

This applies to employees' and Board Directors' use of Thirteen Group's devices, e.g. laptops, tablets, and mobile phones; and also to employees' and Board Members' use of their own computer equipment or other computer equipment. Essential remote working practices will be outlined within Mobile Working Procedures.

Personal blogs / websites

Thirteen Group expects employees and Board Directors to conduct themselves appropriately and in a manner which is consistent with a contract of employment and with Thirteen Group's policies and procedures. This includes when creating, updating, modifying or contributing to blogs, message boards and other content sharing sites outside of working hours, including when using personal IT or the Group IT system during non-working hours.

Social Media

Thirteen Group currently uses social media to communicate effectively with customers and stakeholders. Employees and Board Directors must be aware at all times that, when contributing to social media activities involving comments/views about the Group, they are acting as a representative of the organisation. This framework provides for effective use of social media whilst protecting the organisation's business information and any client or customer information within its custody or safekeeping, by safeguarding its confidentiality, integrity and availability. The personal use of social media is not allowed during work time. Users of social media should also be aware that if any activity is found to call the Group's integrity into question, appropriate investigations and action will be taken.

Monitoring Communications

Thirteen Group is ultimately responsible for all business communications but will, so far as possible and appropriate, respect an employee's or Board Director's privacy and autonomy whilst working.
Thirteen Group may monitor your business communications for reasons which include: providing evidence of business transactions; ensuring that the Group's business procedures, policies and contracts are adhered to; complying with any legal obligations; monitoring standards of service, staff performance and for staff training; preventing or detecting unauthorised use of Thirteen Group's communications systems or criminal activities; and maintaining the effective operation of Thirteen Group's communications systems.

Use of Cloud Storage Systems

Use of cloud computing services by employees and Board Directors for work purposes must be formally authorised by Thirteen Group's IT Manager. Thirteen Group's IT Manager will certify that Thirteen Group's security, privacy and all other IT management requirements will be adequately addressed by the cloud computing vendor. This is necessary to protect the integrity and confidentiality of Thirteen Group's data and the security of the corporate network.

Printing

Thirteen Group strives to provide quality and cost effective print, copy, and scan services to meet the needs of employees and Board Directors whilst taking into consideration the impact of printing on the organisational sustainability goals.

Encryption

Encryption provides an enhanced level of assurance that data being used cannot be viewed or otherwise discovered by unauthorised parties in the event of theft, loss or interception. Employees and Board Directors are required to employ Thirteen Group approved encryption techniques to preserve the confidentiality and integrity of, and control accessibility to, Group data which is classified as private and confidential where this data is processed, stored or transmitted.

4.3 Confidentiality

The Group is aware of its responsibilities when using or handling confidential information. There is a requirement that employees and Board Directors shall not misuse any information or allow others to do so. Confidential information must be used, processed, and handled in accordance with this framework; Thirteen Group's other policies and procedures; and the Data Protection Act.

Sharing Confidential Information between Employees and Board Directors

Within Thirteen Group, confidential information should only be available to employees and Board Directors who genuinely need to know confidential information to carry out their work effectively. Only facts from confidential information should be shared with the necessary and appropriate employees and Board Directors. Where confidential information is shared with an entire team, care should be taken to ensure that there is a legitimate need for the entire team to have access.

Confidential Correspondence

Employees and Board Directors will have access to confidential correspondence and should exercise care and caution when handling correspondence received into Thirteen Group, i.e. envelopes marked confidential or personal should be handled in accordance with administration procedures, policies, and the Data Protection Act.

Multi-Agency Partnerships

Thirteen Group recognises the necessity of working with other agencies so that we are able to meet the needs of customers, clients or prospective customers and clients so that employees and Board Directors can carry out their work effectively. The Group will aim to maintain a balance between the need for confidentiality and the sharing of information necessary to make an effective response to other agencies requesting information. Employees and Board Directors should only share information with other agencies on a need-to-know basis, though the overarching principle should be to obtain consent.

Anonymous Information

Where employees or Board Directors of the Group are given information from anonymous sources, the information will be passed to the relevant team for reference or, where appropriate, to take action to investigate any allegations that may be included within the information. All employees and Board Directors are required to ensure that personal information gained from an anonymous source remains confidential.

Disclosure of Confidential Information

Where requests are made for the disclosure of personal information, employees and Board Directors must consider whether the consent of the individual concerned should be sought. The Group's overarching principle is that an individual's consent should be sought before disclosing personal information to other individuals or organisations, and confidential information should only be shared in exceptional circumstances. However, the Data Protection Act 1998 reinforces the Crime and Disorder Act 1998 in that it allows for the disclosure of personal information, where the disclosure is for the purposes of the prevention and detection of crime, or the apprehension or prosecution of offenders; and where failure to disclose would prejudice those objectives.

Breaches of Confidentiality

All Thirteen Group employees and Board Directors have a duty of care to ensure that personal information remains confidential. Discussing customers, clients, former customers or clients, rehousing applicants or other employees in public places or in an unprofessional context is unacceptable. Customers, clients, contractors, employees, and Board Directors are all expected to respect the rights of others to confidentiality. Although the Group recognises that most breaches of confidentiality occur not out of malice but through thoughtlessness and lack of awareness of the consequences of an action, any breach of confidentiality will be considered a serious issue and this could be regarded as gross misconduct where, following investigation, evidence shows that this has occurred.

4.4 Access to Information

Thirteen Group believes that people have a right to see what information is kept about them, and fully endorses the principles of data protection, as specified in the Data Protection Act 1998 and other related legislation. Requests for information will be processed within the requirements of the Act and the access to information procedure followed when requests are received.

Freedom of Information

The Freedom of Information Act 2000 gives any individual, regardless of age, nationality, or residence, the right to access recorded information held by public sector organisations. As a registered charity, Thirteen Group is not obliged to meet the requirements of this Act; however, as a commitment to being open and transparent, the Group will consider reasonable requests for information.

Data Subject Access Request

In accordance with the Data Protection Act 1998, applicants / customers / clients / former customers / clients have a right to know what information Thirteen Group holds about them; what we use the information for; and to whom we have disclosed that information or to whom we may disclose that information. Applicants can therefore make a request for this information by following the Data Subject Access Request Procedure.

Accuracy of Personal Data

Applicants / customers / clients / former customers / clients have a right to request that information held by the Group which they believe is inaccurate be corrected or removed. If the information is not amended for a justifiable reason, the Group will provide an explanation as to why this has been decided. If the individual then disagrees with the decision, this will be recorded.

Employee Requests for Information

In accordance with the Data Protection Act 1998, job applicants; employees; and former employees have a right to know what information the Group holds about them; what we use the information for; and to whom we have disclosed that information or to whom we may disclose that information. This applies to information held in Thirteen Group's computer records and manual files. This information can be requested by using the Data Subject Access procedure.

Third Party Requests for Information

Occasions may occur where third parties contact the Group to request information relating to a customer / client / applicant or former customer / client. Where this is the case, third party consent to share this information must be received, or an informed decision be made to allow the information to be released without consent. This includes requests from relatives, other agencies, local authority councillors, MPs and Board Directors.

4.5 Document Management

Thirteen Group will manage all documents and records created or received, using a reliable and well-designed system which describes the standards of practice the Group requires to manage and dispose of records.

Electronic Document and Records Management

Thirteen Group endorses the use of electronic document and records management and expects employees and Board Directors to manage documents and records electronically wherever and whenever possible.

Document Retention

A records retention schedule document is in place which sets out the classes of records the Group retains and the length of time these records need to be retained before final disposal action is taken (i.e. destruction or transfer to our archiving facility). The document retention schedule applies to information regardless of its format or the media in which it is created or might be held.

Disposal of Documents and Records

All confidential documents and records will be disposed of in an appropriate way to ensure the security of that data.

Equality and Diversity

Customer Involvement and Consultation

Monitoring and Review

Responsibility

For use by the Governance team

Date agreed at Erimus Board
Date agreed at Housing Hartlepool Board
Date agreed at Tees Valley Board
Date agreed at Thirteen Care and Support Board
Date agreed at Tristar Homes Board
Date agreed at Thirteen Group Board
Date added to Index
Date added to Internet
Date added to Intranet
Linked to Policy or Procedure Number
Linked to Strategy Number


More information

Policy on Public and School Bus Closed Circuit Television Systems (CCTV)

Policy on Public and School Bus Closed Circuit Television Systems (CCTV) DEPARTMENT OF TRANSPORT Policy on Public and School Bus Closed Circuit Television Systems (CCTV) Responsibility of: Public Transport Division TRIM File: DDPI2010/3680 Effective Date: July 2010 Version

More information

HERTSMERE BOROUGH COUNCIL

HERTSMERE BOROUGH COUNCIL HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act

More information

Derbyshire Constabulary GUIDANCE ON THE SAFE USE OF THE INTERNET AND SOCIAL MEDIA BY POLICE OFFICERS AND POLICE STAFF POLICY REFERENCE 09/268

Derbyshire Constabulary GUIDANCE ON THE SAFE USE OF THE INTERNET AND SOCIAL MEDIA BY POLICE OFFICERS AND POLICE STAFF POLICY REFERENCE 09/268 Derbyshire Constabulary GUIDANCE ON THE SAFE USE OF THE INTERNET AND SOCIAL MEDIA BY POLICE OFFICERS AND POLICE STAFF POLICY REFERENCE 09/268 This guidance is suitable for Public Disclosure Owner of Doc:

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014

Islington ICT Physical Security of Information Policy A council-wide information technology policy. Version 0.7 June 2014 Islington ICT Physical Security of Information Policy A council-wide information technology policy Version 0.7 June 2014 Copyright Notification Copyright London Borough of Islington 2014 This document

More information

CORK INSTITUTE OF TECHNOLOGY

CORK INSTITUTE OF TECHNOLOGY CORK INSTITUTE OF TECHNOLOGY DATA PROTECTION POLICY APPROVED BY GOVERNING BODY ON 30 APRIL 2009 INTRODUCTION Cork Institute of Technology is committed to a policy of protecting the rights and privacy of

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Version 1.1 Responsible Person Information Governance Manager Lead Director Head of Corporate Services Consultation Route Information Governance Steering Group Approval Route

More information

Third Party Security Requirements Policy

Third Party Security Requirements Policy Overview This policy sets out the requirements expected of third parties to effectively protect BBC information. Audience Owner Contacts This policy applies to all third parties and staff, including contractors,

More information

DATA PROTECTION CORPORATE POLICY

DATA PROTECTION CORPORATE POLICY DATA PROTECTION CORPORATE POLICY Information Management V1.1 03 July 2012 Not protectively marked This policy must be complied with fully by all Members, Officers Agents and Contractors of Plymouth City

More information

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk Data Protection Act 1998 The for the Borough Council of King's Lynn & West Norfolk 1 Contents Introduction 3 1. Statement of Intent 4 2. Fair Obtaining I Processing 5 3. Data Uses and Processes 6 4. Data

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

DISCIPLINARY PROCEDURE

DISCIPLINARY PROCEDURE DISCIPLINARY PROCEDURE 1. Purpose and Scope 1.1 The Company s procedure is designed to help and encourage all workers to achieve and maintain standards of conduct, attendance and job performance. The Company

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Information Governance Strategy & Policy

Information Governance Strategy & Policy Information Governance Strategy & Policy March 2014 CONTENT Page 1 Introduction 1 2 Strategic Aims 1 3 Policy 2 4 Responsibilities 3 5 Information Governance Reporting Structure 4 6 Managing Information

More information

Policy Document. IT Infrastructure Security Policy

Policy Document. IT Infrastructure Security Policy Policy Document IT Infrastructure Security Policy [23/08/2011] Page 1 of 10 Document Control Organisation Redditch Borough Council Title IT Infrastructure Security Policy Author Mark Hanwell Filename IT

More information

Barnet Partnership Information Sharing Protocol

Barnet Partnership Information Sharing Protocol Barnet Partnership Information Sharing Protocol Information Sharing Protocol V1_0C - FINAL Page 1 of 52 Version 1.0 (FINAL) Contents 1 Background... 4 1.1 The need to share information... 4 2 Scope...

More information

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager

Issue 1.0. UoG/ILS/IS 001. Information Security and Assurance Policy. Information Security and Compliance Manager Document Reference Number Date Title Author Owning Department Version Approval Date Review Date Approving Body UoG/ILS/IS 001 January 2016 Information Security and Assurance Policy Information Security

More information

Human Resources Author: Lou Hassen Version: 1 Review Date: Dec 2012 Page 1 of 7. Trinity Academy Disciplinary Policy

Human Resources Author: Lou Hassen Version: 1 Review Date: Dec 2012 Page 1 of 7. Trinity Academy Disciplinary Policy Page 1 of 7 Trinity Academy Disciplinary Policy Policy Statement The purpose of the Disciplinary Procedure is to give staff members every opportunity to improve standards of behaviour and conduct and to

More information

OFFICIAL. NCC Records Management and Disposal Policy

OFFICIAL. NCC Records Management and Disposal Policy NCC Records Management and Disposal Policy Issue No: V1.0 Reference: NCC/IG4 Date of Origin: 12/11/2013 Date of this Issue: 14/01/2014 1 P a g e DOCUMENT TITLE NCC Records Management and Disposal Policy

More information

SOCIAL MEDIA POLICY FOR VOLUNTEERS TEMPLATE

SOCIAL MEDIA POLICY FOR VOLUNTEERS TEMPLATE SOCIAL MEDIA POLICY FOR VOLUNTEERS TEMPLATE SOCIAL MEDIA POLICY FOR VOLUNTEERS TEMPLATE (Insert Your Organisation Name) uses social media in its work and recognises that those who are involved in its work

More information

St. Peter s C.E. Primary School Farnworth Email, Internet Security and Facsimile Policy

St. Peter s C.E. Primary School Farnworth Email, Internet Security and Facsimile Policy Learn, sparkle & shine St. Peter s C.E. Primary School Farnworth Email, Internet Security and Facsimile Policy Adopted from the LA Policy April 2015 CONTENTS Page No 1. Introduction 1 2. Guiding Principles

More information

REMOTE WORKING POLICY

REMOTE WORKING POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

USE OF INFORMATION TECHNOLOGY FACILITIES

USE OF INFORMATION TECHNOLOGY FACILITIES POLICY CI-03 USE OF INFORMATION TECHNOLOGY FACILITIES Document Control Statement This Policy is maintained by the Information Technology Department. Any printed copy may not be up to date and you are advised

More information

Data Security and Extranet

Data Security and Extranet Data Security and Extranet Derek Crabtree Schools ICT Support Manager derek.crabtree@merton.gov.uk Target Operating Model 2011 Merton Audit Organisation name: London Borough of Merton Periodic plan date:

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

Corporate Data Protection Policy

Corporate Data Protection Policy Corporate Data Protection Policy September 2010 Records Management Policy RMP-09 GOLDEN RULE When you think about Data Protection remember that we are all data subjects. Think about how appropriately and

More information

Data Protection for the Guidance Counsellor. Issues To Plan For

Data Protection for the Guidance Counsellor. Issues To Plan For Data Protection for the Guidance Counsellor Issues To Plan For Author: Hugh Jones Data Protection Specialist Longstone Management Ltd. Published by the National Centre for Guidance in Education (NCGE)

More information

PS 172 Protective Monitoring Policy

PS 172 Protective Monitoring Policy PS 172 Protective Monitoring Policy January 2014 Version 2.0 Statement of legislative compliance This document has been drafted to comply with the general and specific duties in the Equality Act 2010;

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Information Circular

Information Circular Information Circular Enquiries to: Brooke Smith Senior Policy Officer IC number: 0177/14 Phone number: 9222 0268 Date: March 2014 Supersedes: File No: F-AA-23386 Subject: Practice Code for the Use of Personal

More information

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each;

DATA PROTECTION POLICY. Examples of personal data which TWM may require from clients include the following and for the reasons ascribed to each; DATA PROTECTION POLICY Introduction TWM Solicitors maintain certain personal data about individuals for the purposes of satisfying operational and legal obligations. The Data Protection Act sets rules

More information

Data Protection Act 1998. Bring your own device (BYOD)

Data Protection Act 1998. Bring your own device (BYOD) Data Protection Act 1998 Bring your own device (BYOD) Contents Introduction... 3 Overview... 3 What the DPA says... 3 What is BYOD?... 4 What are the risks?... 4 What are the benefits?... 5 What to consider?...

More information

3. Consent for the Collection, Use or Disclosure of Personal Information

3. Consent for the Collection, Use or Disclosure of Personal Information PRIVACY POLICY FOR RENNIE MARKETING SYSTEMS Our privacy policy includes provisions of the Personal Information Protection Act (BC) and the Personal Information Protection and Electronic Documents Act (Canada),

More information

Corporate Information Security Management Policy

Corporate Information Security Management Policy Corporate Information Security Management Policy Signed: Chief Executive. 1. Definition of Information Security 1.1. Information security means safeguarding information from unauthorised access or modification

More information

E-SAFETY POLICY 2014/15 Including:

E-SAFETY POLICY 2014/15 Including: E-SAFETY POLICY 2014/15 Including: Staff ICT policy (Corporation approved) Data protection policy (Corporation approved) Staff guidelines for Data protection Data Security, awareness raising Acceptable

More information

Data Protection Procedures

Data Protection Procedures Data Protection Procedures PROCEDURE OVERVIEW: This Procedure outlines Down District Council s ( the Council ) commitment to the Data Protection Act 1998 ( the Act ) and provides a framework for the Council

More information

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation

More information

Credit Union Code for the Protection of Personal Information

Credit Union Code for the Protection of Personal Information Introduction Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve

More information

Conditions of Use. Communications and IT Facilities

Conditions of Use. Communications and IT Facilities Conditions of Use of Communications and IT Facilities For the purposes of these conditions of use, the IT Facilities are [any of the University s IT facilities, including email, the internet and other

More information

Last updated: 30 May 2016. Credit Suisse Privacy Policy

Last updated: 30 May 2016. Credit Suisse Privacy Policy Last updated: 30 May 2016 Credit Suisse Please read this privacy policy (the ) as it describes how we intend to collect, use, store, share, and safeguard your information. By accessing, visiting or using

More information

The Manitowoc Company, Inc.

The Manitowoc Company, Inc. The Manitowoc Company, Inc. DATA PROTECTION POLICY 11FitzPatrick & Associates 4/5/04 1 Proprietary Material Version 4.0 CONTENTS PART 1 - Policy Statement PART 2 - Processing Personal Data PART 3 - Organisational

More information

Pacific Smiles Group Privacy Policy

Pacific Smiles Group Privacy Policy Pacific Smiles Group Privacy Policy Pacific Smiles Group Limited and its related bodies corporate (PSG, we, our, us) recognise the importance of protecting the privacy and the rights of individuals in

More information

Data and Information Security Policy

Data and Information Security Policy St. Giles School Inspire and achieve through creativity School Policy for: Date: February 2014 Data and Information Security Policy Legislation: Policy lead(s) The Data Protection Act 1998 (with consideration

More information

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY

SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY SOUTHERN SLOPES COUNTY COUNCIL COMPUTER & INFORMATION TECHNOLOGY USE POLICY OBJECTIVE To provide users with guidelines for the use of information technology resources provided by Council. SCOPE This policy

More information

Information Technology and Communications Policy

Information Technology and Communications Policy Information Technology and Communications Policy No: FIN-IT-POL-001 Version: 03 Issue Date: 10.06.13 Review Date: 10.06.16 Author: Robert Cooper Monitor Changes Approved by: Board of Governors Version

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

PROTECTION OF PERSONAL INFORMATION

PROTECTION OF PERSONAL INFORMATION PROTECTION OF PERSONAL INFORMATION Definitions Privacy Officer - The person within the Goderich Community Credit Union Limited (GCCU) who is responsible for ensuring compliance with privacy obligations,

More information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information INTRODUCTION Privacy legislation establishes legal privacy rights for individuals and sets enforceable

More information

STAFF & GOVERNOR USE OF SOCIAL MEDIA AND INTERNET SITES POLICY

STAFF & GOVERNOR USE OF SOCIAL MEDIA AND INTERNET SITES POLICY Page 1 of 7 Alveston CofE Primary School has adopted this policy from the Local Authority. INTRODUCTION Social media includes online social forums such as Facebook, Twitter and LinkedIn, and websites such

More information

Data Protection Policy

Data Protection Policy Internal Ref: NELC 16.60 Review date December 2016 Version No. V04 Data Protection Policy 1 Data Protection Statement Data Protection Policy 1.1 North East Lincolnshire Council recognises that in order

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

University of Birmingham. Closed Circuit Television (CCTV) Code of Practice

University of Birmingham. Closed Circuit Television (CCTV) Code of Practice University of Birmingham Closed Circuit Television (CCTV) Code of Practice University of Birmingham uses closed circuit television (CCTV) images to provide a safe and secure environment for students, staff

More information

POLICY FRAMEWORK AND STANDARDS INFORMATION SHARING BETWEEN GOVERNMENT AGENCIES

POLICY FRAMEWORK AND STANDARDS INFORMATION SHARING BETWEEN GOVERNMENT AGENCIES POLICY FRAMEWORK AND STANDARDS INFORMATION SHARING BETWEEN GOVERNMENT AGENCIES January 2003 CONTENTS Page 1. POLICY FRAMEWORK 1.1 Introduction 1 1.2 Policy Statement 1 1.3 Aims of the Policy 1 1.4 Principles

More information

UNIVERSITY OF SOUTHAMPTON DATA PROTECTION POLICY

UNIVERSITY OF SOUTHAMPTON DATA PROTECTION POLICY UNIVERSITY OF SOUTHAMPTON DATA PROTECTION POLICY 1. Purpose 1.1 The Data Protection Act 1998 ( the Act ) has two principal purposes: i) to regulate the use by those (known as data controllers) who obtain,

More information

Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website

Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website Data Protection Policy A copy of this policy is published in the following areas: The school s intranet The school s website Date created: November 2015 Date for review: July 2016 Created by: Mark Vanstone,

More information